False Alarm: Phishing Attack Against DNC Was Just a Test

A screenshot of the login page for Votebuilder, the Democrats' voter database

A website that appeared to be part of a phishing campaign designed to gain access to the Democratic National Committee's voter database has turned out to be part of an uncoordinated security exercise. The false alarm has highlighted the benefits of actively monitoring for election interference efforts.

At first, the DNC believed that the phishing site was designed to steal access credentials for its cloud-based voter database.

On Thursday, however, the DNC said it had traced the fake site's creation to the Michigan Democratic Party, which hired a third-party contractor to conduct a phishing test, the Washington Post reports. But that branch of the party failed to notify the national DNC, which swiftly reported the phishing site to the FBI after it was discovered.

The bogus website mimicked the login page for a web-based service used by the DNC called Votebuilder, which is maintained by a progressive-leaning technology company, NGP VAN. It contains the DNC's database of voters.

U.S. intelligence agencies concluded that Russia created bogus login pages for services such as Gmail and Yahoo to commandeer the email accounts of top Democratic officials, as part of a wide-ranging interference campaign that also employed social media.

DNC: Not A Bad Test, Actually

At first glance, the lack of coordination between DNC headquarters and its Michigan chapter might seem embarrassing. But security experts say this was a perfect tabletop exercise designed to test alert mechanisms and response times.

"Ignore the smug and partisan sniping-to-come [regarding the] attempted DNC hack: a mock red-team attack that is closely held and quickly discovered is exactly what you want to happen," writes Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies, on Twitter. "This is probably a good thing."

In a tweet, Bob Lord, CSO of the DNC, said actions will be taken to ensure the organization isn't caught off guard again. Even so, he believes that in this discovery of an alleged phishing campaign, "some things went really well."

While we're going to implement guardrails so we're informed of advanced security testing, some things went _really_ well: The security community gathered and made some tough calls quickly. Also, the internal flow of information was fast within the DNC, and to state parties.

Quick Detection

Kudos for the discovery of the fake DNC voter database login page goes to mobile security firm Lookout. Mike Murray, who leads San Francisco-based Lookout's security intelligence group, says the company has built a system to quickly detect potential phishing sites before attackers can send out emails with links to the bogus pages.

Murray says his team discovered the phishing site within 30 minutes of it going live.

Lookout continued to monitor the site as it was under development, noticing that within an hour username and password fields had also been added, Murray writes. Eventually, it evolved into a site "meant to phish someone who would typically access the NGP VAN site on a laptop or mobile device," he writes.

Lookout analysts observed the phishing site as it was under development. (Source: Lookout Mobile Security)

Lookout reached out to the DNC, NGP VAN and DigitalOcean, which hosted the site, and it was taken down within hours, Murray says.
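The article does not describe how Lookout's detection system works, so the following is an added illustration, not Lookout's or NGP VAN's code: a small scorer that flags newly observed hostnames imitating a protected login portal, of the kind a defender could run over a certificate-transparency or newly-registered-domain feed to catch a lookalike before any lure email is sent. The protected domain ngpvan.com, the brand tokens and the sample hostnames are assumptions constructed for the demo.

```python
"""Flag newly observed hostnames that imitate a protected login portal.
Added example, not Lookout's or NGP VAN's code: the token list, ngpvan.com
and SAMPLE_FEED are all assumed/constructed for illustration."""
PROTECTED_TOKENS = ("votebuilder", "ngpvan")   # brand strings worth watching
PROTECTED_DOMAINS = ("ngpvan.com",)             # assumed legitimate domain
CREDENTIAL_WORDS = ("login", "secure", "account", "signin")

def levenshtein(a: str, b: str) -> int:  # edit distance, catches typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:  # last two labels; ignores multi-part TLDs
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def score(host: str):
    """Return (score, reasons) for one hostname; 0 means nothing suspicious."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:              # our own domain, never a lookalike
        return 0, ["legitimate domain"]
    labels = host.split(".")
    reasons = [f"contains '{t}'" for t in PROTECTED_TOKENS
               if any(t in lab for lab in labels)]
    sld = reg.split(".")[0]
    for dom in PROTECTED_DOMAINS:
        dist = levenshtein(sld, dom.split(".")[0])
        if dist == 0:
            reasons.append(f"reuses '{dom}' name under another TLD")
        elif dist <= 2:
            reasons.append(f"'{sld}' is {dist} edit(s) from '{dom}'")
    if reasons:  # credential words only matter once a brand has matched
        reasons += [f"credential word '{w}'" for w in CREDENTIAL_WORDS
                    if any(w in lab for lab in labels)]
    return len(reasons), reasons

SAMPLE_FEED = [  # constructed hostnames, not real observations
    "app.ngpvan.com", "votebuilder-login.example", "ngpvam.com",
    "secure.ngpvan-login.net", "weather.example.org",
]

def triage(feed=SAMPLE_FEED):
    """Hosts worth an analyst's look, highest score first."""
    hits = [(h, *score(h)) for h in feed if score(h)[0] > 0]
    return sorted(hits, key=lambda t: -t[1])
```

Running `triage()` on the constructed feed ranks the hostname that combines a brand token with two credential words first, while the legitimate subdomain and the unrelated host are not reported.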

"The thing about 'false alarms' is that you don't know that they're false until you've shown up to investigate," Murray says in a postmortem comment on Twitter. "All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible."

Too Late to Save Midterms?

Phishing was one of the primary methods used by foreign actors to attack the DNC in 2016. Top Democratic officials were sent links to fake login pages that asked for their credentials for services such as Yahoo and Gmail.

Subsequently, some officials - most notably Hillary Clinton's campaign chairman John Podesta - saw their stolen emails and documents get released through WikiLeaks, on a WordPress site run by Guccifer 2.0, as well as on a site called DCLeaks. Security experts believe the latter two are the work of a hacking group called Fancy Bear - aka APT28, among other names - which has been tied to Russia's GRU military intelligence agency.

The GRU's dumping of stolen material, combined with coordinated social media campaigns designed to amplify existing divisions in U.S. society and to stir discontent, stands as one of the most dramatic uses of internet technology to interfere with an election seen to date.

While the U.S. is now aware of the complications and scale of the problem, Facebook's former CSO, Alex Stamos, contends that it may be too late to implement significant changes, at least in time for this year's U.S. midterm elections (see Secure 2018 US Elections: It's Too Late).

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
